Mozilla Developing More Attack-Aware Applications for Security

Mozilla wants to make its applications better at identifying malicious behavior in an approach it calls 'attack aware.'

Mozilla is taking a more proactive
approach to secure its applications against attacks.
The company is calling this
approach "attack aware." The idea, explained Mozilla Web security
specialist Michael Coates, is to make applications able to identify
unusual actions by the user that are deliberate attacks on applications.
The goal is to detect attempts to probe
an application for weaknesses and block attempts to damage a system while
distinguishing between attack behavior and user errors, such as typos.

"An attack-aware application
uses a blacklist-style detection of a potential attack," blogged Coates.
"It is important to realize that this is not intended to be a substitute for
secure design principles. Instead, it is an additional detection capability
layered on top of a securely designed application. Think of a bank that has
been built securely and then installs an alarm system to detect attempted
attacks."

The challenge to this
approach boils down to anomaly detection, said Chris Wysopal, CTO of
Veracode.
"There have been attempts to
do this at the network level, and I don't know of any successes there," he
said. "Network security ends up falling back on known signatures of attacks.
There is more hope for anomaly detection
at the application layer because the application has more context, but it
will still be difficult."
Coates agreed that doing
this effectively would require the correct selection of detection points
that minimize false positives.

"For example, detecting a
single tick (-) within a text field (which could be used for SQL injection
testing) is a bad detection point since there will be many false positives with
legitimate uses of that character (e.g., the name O'Malley, or just typos)," he
blogged.
A better detection point
would be detecting malicious values within password reset token URLs since
there is no reason a user would accidentally modify the URL to include a
potential SQL injection attack, he added. For that reason, false positive rates
would be low.
"This is only one example of
the detection points we are using. ... Currently, we are monitoring attack
reports from our attack-aware applications," Coates blogged. "This data is all
fed into a security-integration manager that allows us to monitor trends and
investigate individual attack reports. We are moving towards building a
system that will enable us to selectively block the offending user from the
application to prevent further attacks."